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© A method by which redundant network interface 
modules (NIM)s interconnecting the communication 
buses of two local area networks communicate with 
one another at predetermined time intervals over the 
communication buses of both networks. One of the 
redundant pair of NIMs is designated as the primary 
and the other as the secondary. Contents of the 
information communicated between the NIMs over 
the communication bus of the first network includes 
the status of the transmitting NIMs ability to commu- 
nicate with the second network and the information 
communicated between the NIMs over the commu- 
nication bus of the second network includes the 
status of the transmitting NIM's ability to commu- 
nicate with the first network. Based on the informa- 
tion exchanged, the failure of the NIMs to commu- 
nicate as scheduled, and the internal status of each 
NIM as understood by that NIM, the NIM decide 
when failover from the primary NIM to the secondary 
NIM occurs. 
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METHOD FOR CONTROLLING FAILOVER BETWEEN REDUNDANT NETWORK INTERFACE MODULES 



CROSS-REFERENCE TO RELATED APPLICA- 
TIONS 



The following copending patent applications re- 
late to the invention of the present application and 
are incorporated herein by reference: 

A. "Method for Control Data Base Tracking in a 
Redundant Processor" by P. McLaughlin et al, 
Serial No. 07/299,859, filed January 23, 1989; 
and 

B. "Apparatus for Providing a Universal Interface 
to a Process Control System" by A. J. Hahn et 
al, Serial NO. , filed 

Al! of the foregoing are assigned to the same 
assignee. 



modules of each network, particularly, the NIMs 
interconnecting the networks, as v/ell as by provid- 
ing redundant cables over which the modules of 
each network communicate. Because of the impor- 

5 tance of the functions performed by NIMs. provid- 
ing each NIM of a process control system with a 
secondary or back up has a high priority. However, 
there is a need for an improved method by which a 
primary NIM and secondary NIM of a redundant 

70 pair of NIMs in such a system communicate, and 
the information communicated so that both NIMs 
have the capability of knowing each others status 
and of determining, or of controlling, when the 
secondary NIM will take over the function of the 

75 primary NIM; or, stated another way, when the 
primary NIM will failover to the secondary NIM. 



BACKGROUND OF THE INVENTION 



(1) Field of the Invention: 

This invention is in the field of methods by 
which the primary and secondary network interface 
modules determine their respective status and that 
of the networks with which they communicate to 
determine when the primary module shall failover 
in deference to the secondary and in which the 
secondary module determines that the primary 
module has failed in order to assume the role of 
the primary module. 

(2) Description of the Prior Art: 

Process control systems which include a hier- 
archy of local area networks (LAN)s have been 
developed. An example of such a system is de- 
scribed and claimed in U. Patent No. 4,607,256, 
which issued to Russel A. Henzel on August 18, 
1986. Another such system is illustrated and de- 
scribed in the cross-referenced application entitled 
"Apparatus for Providing a Universal Interface to a 
Process Control System" the disclosure of which is 
incorporated by reference into this application. 

In such systems, network interface modules 
(NIM)s provide communication and data translation 
capabilities so that modules of the two networks 
interconnects by a NIM can communicate. The 
reliability and fault tolerance of process control 
systems are significantly increased by incorporat- 
ing in each network a standby, backup, secondary, 
or redundant module for each of the operating 



SUMMARY OF THE INVENTION 

20 

The present invention provides a method for 
communicating the respective status of redundant 
network interface modules (NIM)s between the 

25 modules and for controlling failover between the 
{NIM)s, one of which is designated as the primary 
NIM and the other as the secondary NIM. The 
NIMs are connected between the communication 
media of two local area networks (LAN)s so that the 

30 primary NIM can provide communication and data 
translation between the networks as required so 
that modules of one network can communicate with 
modules on the other.The secondary NIM of the 
redundant pair is available to provide the functions 

35 of the primary whenever failure of the primary NIM 
or failover of the primary NIM to the secondary 
NIM occurs. The primary and secondary NIMs 
communicate with each other at regular time inter- 
vals over the communication buses of both net- 

40 works. The information communicated is in the 
form of messages, more accurately status mes- 
sages, which include the status of the networks 
interconnected by the NIMs as perceived by each. 
The status messages transmitted by each MIN to 

45 the other over the communication bus of the first 
network includes the status of the NIM transmitting 
the information, the status of the second network 
as perceived by the transmitting NIM, and other 
information or data as required. The status mes- 

so sages transmitted by each NIM to the other over 
the communication bus of the second network in- 
clude the status of the NIM transmitting the in- 
formation, the status of the first network as per- 
ceived by the transmitting NIM as well as other 
information, or data, as required. 
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Communication of the NIMs with one of the 
networks, such as the first, will take priority over 
communication with the second for reasons ex- 
plained later. Some examples of the conditions 
resulting in failover of the primary NIM to the 5 
secondary NIM are: the primary NIM crashes, or 
fails; the primary NIM is unable to communicate 
with the first network and the secondary can; the 
primary NIM is unable to communicate with the 
second network, but otherwise is functioning prop- 70 
erly, and the secondary NIM can conqmunicate with 
both the first and second networks and the secon- 
dary NIM is otherwise functioning properly. FaiJover 
of the primary NIM to the secondary NIM will not 
occur if the secondary NIM is unable to commu- 75 
nicate with either the first or second network, or if 
the secondary NIM has an internal problem which 
prevents its proper operation, such as a hardware 
or software failure which has caused the secondary [ 
NIM to perform improperly, or to crash. ^ 20 

It is therefore an object of this invention to 
provide an improved method by which redundant 
network interface modules interconnecting the 
communication buses of two local area networks 
determine when the primary NIM shall failover to 25 
the secondary NIM based on information ex- 
changed between the two modules over the media 
of the two networks. 

It is another object of this invention to provide 
an improved method by which redundant network 30 
interface modules interconnecting the communica- 
tion buses of two local area networks determine 
when the primary shall fail over to the secondary 
without requiring any dedicated redundancy hard- 
ware. 35 

It is still another object of this invention to 
provide an improved method for controlling failover 
of a primary network interface module to the sec- 
ondary network interface module in a process con- 
trol system. 40 

It is yet another object of this invention to 
provide an improved method for controlling failover 
of a primary network interface module to the sec- 
ondary network module in a process control sys- 
tem within a predetermined period of time after the 45 
occurrence of a fault causing failover to prevent 
interrupting the process being controlled by the 
system. 

50 

BRIEF DESCRIPTION OF THE DRAWINGS 

Other objects, features and advantages of the 
invention will be readiiy apparent from the following 55 
description of a preferred embodiment thereof, tak- 
en in conjunction with the accompanying drawings, 
although variations and modifications may be af- 



fected without departing from the spirit and scope 
of the novel concepts of the disclosure, and in 
which: 

Fig. 1 is a schematic block diagram of a process 
control system, the two local area networks of 
which are provided with redundant network inter- 
face modules which practice the method of this 
invention. 

Fig. 2 is a truth table of conditions that deter- 
mine when failover of the primary NIM to the 
secondary NIM occurs, when the secondary 
NIM terminates operation, and when no action 
takes place. 

DETAILED DESCRIPTION 

In Figure 1, process control system 10 includes 
local control network (LCN) 12, only a portion of 
which is illustrated, and universal control network 
(UCN) 14. LCN 12 includes a communication bus 
16, which in the preferred embodiment comprises 
redundant coaxial cables 16A and 16B. and UCN 
also includes a communication bus 18 which in the 
preferred embodiment also comprises redundant 
coaxial cables 18A and 18B. Communication be- 
tween LCN 12 and UCN 14 is provided by redun- 
dant network interface modules (NIM)s 20, which 
includes a pair of NIMs, 20A and 20B, with only 
one of the NIMs, such as NIM 20A providing such 
function as well as a data translation function at a 
given period of time. Under such circumstances, 
NIM-A is designated as the primary and NIM-B 
20B which has the same capabilities as NIM 20A, 
is designated as the secondary NIM since NIM-B is 
the backup for NIM-A 20A. NIM-A is directly con- 
nected to dual redundant cables 16A and 16B by 
redundant connectors 22A and 22B, and NIM-B is 
directly connected to cables 16A and 16B by con- 
nectors 24A and 24B. NIMs 20, in the preferred 
embodiment, are connected to redundant cables 
18A and 18-B of UCN 14, by drop cables 26A and 
26B for NIM-A and drop cables 28A and 28B for 
NIM-B. 

The modules of LCN illustrated in Fig. 1 in- 
clude a history module 30, a universal operator 
station module 32 and an application module 34. 
Universal operator station module 32 is the work 
station for one or more plant operators and pro- 
vides the interlace between the plant operator, or 
operators, and the process or processes of a plant 
for which the operators are responsible and which 
processes they monitor and control through the 
facilities and information provided by control sys- 
tem 10. For a more detailed description of LCN 12 
and of modules 30, 32, and 34 as well as other 
modules of LCN 12 which are not illustrated, refer- 
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ence is made to the teaching of U.S. Patent 
4,607,256. 

UCN 14 is provided with process manager 
modules (PM)s 36, 38, 40, and 42. For a more 
complete description of the the structure and func- 5 
tions of NIMs 20 and PM modules 36, 38, 40, and 
42 reference is made to the applications more 
completely identified in the section of this applica- 
tion entitled Cross-Reference to Related Patent Ap- 
plications. In the preferred embodiment, PM mod- io 
ules 36, 38, 40, and 42 provide control functions 
and also function as network interface modules 
between UCN 14 and input output networks which 
include input output (IO) modules. The IO modules 
which are not not illustrated translate analog or 15 
digital input data produced by devices such as 
valves, pressure switches, pressure gauges, ther- 
mocouples, and the like into signals compatible to 
a process module such as PM 36, and translate 
signals produced by a process modules such as 20 
PM 36 to analog or digital output signals compati- 
ble to such devices. -j 

In the preferred embodiment, both LCN 12 and ' 
UCN 14 are token passing local area networks 
(LAN)s typically with each module having a secon- 25 
dary or backup module available to take over for 
the primary module of a redundant pair. For exam- 
ple in LCN 12 history module 30, universal station 
module 32 and application module 34 each would 
normally be provided with a back up module to 30 
provide redundancy. LCN 12 may be provided with 
additional modules of the same or different types 
as is well known but which are not illustrated. In 
UCN 14 process modules 36, 38, 40, and 42 would 
normally be provided with a back up, or standby, 35 
module, but such redundant modules are not illus-J 
trated in Fig. 1 . 

The primary function of NIMs 20A and 20B is 
to provide communications between LCN 12 and 
UCN 14. The ability of NIMs 20A and 20B, particu- 40 
larly primary NIM-A to communicate with the mod- 
ules of LCN 12 is a key criteria in determining 
when primary NIM-A fails over to its secondary 
NIM-B. The ability of the NIMs 20A and 20B to 
communicate with LCN 12, particularly with univer- 45 
sal station module 32 is because module 32 pro- 
vides the operators of the process controlled by 
process control system 10 with a vantage point, or 
window, to observe, or monitor the process being 
controlled and how process control system 10 is so 
functioning. More particularly, module 32 provides 
the operators with information identifying when and 
where faults occur in the communication media or 
modules of any of the networks with which univer- 
sal station module 32 can communicate. Whenever 55 
a fault occurs and wherever it occurs, the respon- 
sibility of the operators of the process being con- 
trolled by system 10 is to take appropriate steps 



the find and fix the fault as quickly as possible. 

Since the communication media of both LCN 
12 and UCN 14 are redundant coaxial cables.a fault 
or faults limited to one of the two cables of either 
or both networks, will not normally interfere with 
communications between LCN 12 and UCN 14 
because each network has the capability for detect- 
ing faults in their redundant communication cabfes 
and of switching from the faulty cable ot the redun- 
dant, or back up, cable. 

In the normal operation of plant control system 
10 when all the modules and communication ca- 
bles of both networks are functioning properly, i.e., 
without any faults and both the primary NIM-A and 
the secondary NIM-B are both functioning without 
fault and no faults are present in any of their drop 
cables 22, 24. 26, 28. Under such circumstances, 
secondary NIM-B will transmit a status message to 
primary NIM-A at least once a second over. bus 18 
of UCN. This status message includes NIM-B's 
status, i.e. has NIM-B detected that it has suffered 
a hardware failure or a software failure; has NIM-B 
received a status message from primary NIM-A 
within the past one second over communication 
bus 18 of UCN 14; and whether secondary NIM-B 
is receiving signals from other modules of UCN 14. 
The receipt of such signals signifies that NIM-B 
can communicate with UCN 14 and that therefore 
UCN 14 is functioning properly as perceived by 
NIM-B. 

NIM-A transmits at least once a second to 
NIM-B a status message which includes the hard- 
ware and software status of NIM-A; whether NIM-A 
has received a status message from NIM-B within 
the previous second over communication bus 18, 
and whether NIM-A is receiving messages from 
and transmitting messages to other modules of 
LCN 12. 

Primary NIM-A will transmit a similar status 
message to NIM-B over the LCN's communication 
bus 16 except that this message from NIM-A will 
include information as to whether NIM-A has re- 
ceived a status message from NIM-B within the 
past one second over communication bus 16 of 
LCN 12 and the status of UCN 14 as perceived by 
NIM-A; namely, that NIM-A is communicating with 
other modules of UCN 14. In addition this status 
message may include data which NIM-B uses to 
update its data base so that the data base of NIM- 
B is substantially the same as that of primary NIM- 
A. This facilitates NIM-B's being able to assume 
uh3 functions of NIM-A with a minimum of delay 
upon a failover. This message sent by NIM-A to 
NIM-B over bus 16 is sometimes referred to as a 
redundancy message. 

NIM-B will transmit a status message to NIM-A 
over communication bus 16 including NIM-B's sta- 
tus and that of UCN 14 as perceived by NIM-B 
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after receiving a predetermined number of redun- 
dancy messages from NIM-A over communication 
bus 16. such as twenty, or at least once every 
second. 

The type of failures, or faults, that can result in 5 
NIM-A failing over to NIM-B are: if NIM-A suffers a 
hardware failure or a software failure; if NIM-B does 
hot receive a status message from NIM-A over 
buses 16 or 18 of LCN 12 or UCN 14 for 2.5 
seconds in the preferred embodiment; if NIM-A is io 
unable to transmit a status message ^to NIM-B and 
receive a response from NIM-B over communica- 
tion bus 16 of LCN 12 within 60 seconds; and NIM- 
A is unable to communicate with any module of 
UCN 14 for more than 12 seconds and NIM-B is rs 
able to so communicate. 

NIM-3 is deemed to have a failure if it has a 
hardware or software fault; if NIM-A does not re- 
ceive at least one status message from NIM-B over 
either communication bus 16 of LCN 12 or commu- 20 
nication bus 18 of UCN 14 during the previous 60 
seconds; or if NIM-B does not receive any status 
messages from NIM-A over bus 16 of LCN 12 for a 
period of 2.5 seconds but can receive messages 
from NIM-A over communication bus 18 of UCN 25 
14. 

Figure 3 is a truth table describing the actions 
taken by NIMs 20A and 20B upon the occurrence 
of certain conditions to minimize the consequences 
of such occurrences upon the operation of process 30 
control system 10. Row 1 describes the situation 
when both LCN 12 and UCN 14 are operating 
properly and neither primary NIM-A nor secondary 
NIM-B has a hardware or a software failure that 
prevents it from operating properly. 35 

The situation described in row 2 is one in 
which primary NIM-A is unable to transmit or re- 
ceive signals from the communication media 18 of 
UCN 14. Such a situation can occur if both of its 
drop cabies 26A and 26B have been severed, for 40 
example. This occurrence is detected in the follow- 
ing way- NIM-B will transmit to NIM-A over bus 18 
of UCN 14 a status message which includes data 
signifying that NIM-B's status is all right, as is that 
of LCN 12, and that NIM-B has received a status 45 
message from NIM-A over LCN bus 16. Since NIM- 
A is unable to receive a status message from NIM- 
B over UCN bus 18 because drop cables 26A and 
26B are severed, the failure of NIM-A to receive a 
status message from NiM-B or to communicate so 
with any other module of UCN 14 for one second 
results in NIM-A recognizing that it has an UCN 
failure. NIM-A will transmit a redundancy message 
to NIM-3 over LCN bus 16 at least once a second 
which rrvessage contains data informing NIM-B that 55 
NIM-A is isolated from UCN 14. NIM-B will transmit 
status messages to NIM-A over LCN bus 16 pe- 
riodically at least once per second. After a 500 



msec, delay , NIM-B listens to UCN bus 18 for a 
message frcm NIM-A. After five such attempts, 
NIM-B sends a message to NIM-A over LCN bus 
16 commanding NIM-A to terminate operations, 

and NIM-B takes over the functions of NIM-A. NIM- j 

B will then transmit a message to universal station 
32 concerning what has happened so that the 
operators of the process can take appropriate ac- 
tion to correct the problem, in this case, severed 
drop cables 26A and 26B. 

The conditions described in row 3 are similar 
to those of row 2 except that secondary NIM-B is 
unable to communicate over UCN bus 18 because 
its drop cables 28A and 28B are severed, for 
example, NIM-B will attempt to transmit a status 
message over UCN bus 1 8. NIM-A, since it did not 
receive a status message from NIM-B within the 
past second, does not send a status message to 
NIM-B over UCN bus 18. NIM-A will send a redun- 
dancy message to NIM-B over LCN -bus 16 inform- 
ing NIM-B that NIM-A did not receive a status 
message from NIM-B over bus 18 within the allot- 
ted time period, one second. NIM-B will then trans- 
mit a status message to NIM-A over LCN bus 16 
containing data that NIM-B is unable to commu- 
nicate with any modules of UCN 14. NIM-A after 
thirty attempts to receive a message from NIM-B 
over bus 18, NIM-A will send a message to NIM-B 
over LCN bus 16 for NIM-B to terminate its oper- 
ations. NIM-B will in the mean time retry five times 
to send a status message to NIM-A over bus 18. If 
NIM-B does not receive a message from NIM-A 
over bus 18 of UCN 14 after five tries, NIM-B will 
terminate its operations. Thus. NIM-B under these 
circumstances is terminated by NIM-A or by its 
own decision. 

The conditions described in row 4 of Fig. 3 
arise if the connectors 22A 22B of NIM-A fail. The 
transmission of status messages between NIM-B 
and NIM-A is as described above with respect to 
messages transmitted over UCN bus 18. However, 
when primary NIM-A attempts to send the usual 
redundancy message to NIM-B after connectors 
22A and 22B fail, NIM-A is unable to do so even 
though it tries at least once every second. Since 
the redundancy message normally transmitted by 
NIM-A to NIM-B over LCN bus 16 is not received 
by NIM-B, NiM-B after 1.7 seconds have elapsed 
begins transmitting requests to NIM-A over LCN 
bus 16 for NIM-A to retransmit its redundancy 
message over bus 16. This request is repeated 
three times. If no response to its requests are 
received by NIM-B after 0.8 seconds after the third 
request was transmitted, NIM-B will have received 
a status message from NIM-A over bus 18 of UCN 
that NIM-A is unable to communicate with any of 
the modules of LCN 12. NIM-B will then send a 
message to NIM-A over UCN bus 18 telling NIM-A 
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to terminate operations since it is unable to com- 
municate with LCN 12. Upon the receipt of such a 
message, NIM-A terminates operation and fai lover 
to NIM-B occurs. NIM-B will then notify module 32 
of LCN 12 what has occurred. 

The circumstances described by row 5 of Fig. 
3 occur if the drop cables 24-A and 24-B of NIM-B 
are cut are severed. When NIM-B transmits its 
status of LCN 12 to NIM-A over UCN bus 18, it will 
report that it is unable to communicate with any of 
the modules of LCN 12. NIM-A will transmit its 
status message once a second to NIM-B over UCN 
bus 18 to the effect that in so far as NIM-A is 
concerned, it can communicate with LCN 12 but 
not with NIM-B. NIM-A will attempt to transmit its 
redundancy message to NIM-B over LCN bus 16. 
Since NIM-B can not receive this message, NIM-B 
will after 1.7 seconds has elapsed, transmit three 
requests to NIM-A to the redundancy message 
over LCN bus 16. NIM-B waits for another 0.8 
seconds and if NIM-B does not receive the re- 
quested message from NIM-A during that perio-J. 
NIM-B concludes that it can not communicate with 
modules on LCN 12 Since NIM-B has received a 
status message from NIM-A that NIM-A can com- 
municate with the modules of LCN 12, NIM-B ter- 
minates its operations. NIM-A then notifies univer- 
sal station module 32 of LCN 12 of the state of 
affairs. 

The situation described by row 5, of Rg. 3 can 
also occur if NIM-B should suffer a transmitter 
failure which is not detected and therefore is not 
reported as a hardware failure. Under such cir- 
cumstances, NIM-B will transmit a routine status 
message to NIM-A including the status of LCN 12 
as perceived by NIM-B at least once a second over 
bus 18. NIM-A will transmit a routine status mes- 
sage to NIM-B including the status of LCN 12 as 
perceived by NIM-A over bus bus 18. Primary NIM 
20A will send a normal redundancy message to 
secondary NIM 20B over LCN bus 16. While NIM- 
B can receive this redundancy message from NIM- 
A, it cannot transmit an appropriate status message 
to NIM-A over LCN bus 16. If primary NIM 20A 
does not receive a proper message from NIM-B 
over LCN bus 16 for 60 seconds, NIM-A will trans- 
mit a message to NIM-B over UCN bus 18 telling 
NIM-B to terminate its operations. 

Row 6 describes the action taken by secondary 
NIM-B if NIM-B is unable to communicate with 
modules of the LCN. The action taken by NIM-B is 
to terminate its operation even though NIM-A is 
unable to communicate properly with modules of 
UCN 14 and NIM-B can. If both of the NIMs 20A 
and 20B are unable to communicate with LCN 12, 
no action is taken, row 7. If primary NIM 20A 
suffers an LCN failure and secondary NIM 20B an 
UCN failure, primary NIM 20A fails over to secon- 



dary NIM 20B, the situation described in row 8. If 
both NIM-A and NIM-B have an UCN failure, then 
no action is taken, row 9. If NIM-B is unable to 
communicate with modules on either LCN 12 and 

5 UCN 14, the situation described in row 10, NIM-B 
terminates operation. Row 11 describes the situ- 
ation where NIM-A can communicate only with 
LCN 12 and NIM-A can not communicate with 
either the LCN 12 or the UCN 14. Under such 

io circumstances NIM-B terminates its operations. If 
neither NIM-A nor NIM-B can communicate with 
with either LCN 12 or UCN 14, then nothing can be 
done, the situation described by row 12. With re- 
spect to the situations described in rows 7, 9 and 

is 12, the most probable cause of both NIMs being 
unable to communicate with the LCN network, row 
7; with the UCN network, row 9; or with both 
networks, row 12; is that both NIMs have been 
manually disconnected from the communication ca- 

20 bles of the indicated network, or networks. There- 
fore, the two NIMs wait to be manually reconnected 
to the communication cables of the LCN, or the 
UCN, or both, and then resume operations. 

Row 13 describes the situation that occurs 

25 when NIM-A cannot communicate with either LCN 
12 or UCN 14 but NIM-B can communicate with 
LCN 12 but not UCN 14. If this happens, NIM-A will 
failover to NIM-B. If NIM-A can not communicate 
with either LCN 12 or UCN 14, but NIM-A can, then 

30 NIM-A will failover to NIM-B, row 14. If NIM-A has a 
hardware or software failure that causes it to crash, 
then NIM-A will failover to NIM-B, row 15. If NIM-B 
has a hardware or software failure that causes NIM- 
B to crash, NIM-A will stop trying to communicate 

35 with NIM-B, row 16. 

If both trunk cables 16A and 15B of LCN 12 
are severed between NIM 20A and NIM 20B, both 
NIM-A and NIM-B can communicate with some of 
the modules of LCN 12 but not with each other 

40 over bus 16. When this occurs, NIM-B will transmit 
the normal status message including the status of 
LCN 12 to NIM-A over UCN bus 17 at least once a 
second. NIM-A will transmit the usual status mes- 
sage including tie status of LCN 12 to NIM-B over 

45 UCN bus 18 at least once a second. NIM-A will 
transmit the usual redundancy message including 
the internal status of NIM-A, the status of UCN 14 
as perceived by NIM-A and any update data NIM-A 
has for NIM-B to NIM-B over LCN bus 16. Since 

so NIM-B is unable to receive this message because 
of the cable fault in communication cables 16A and 
16B, NIM-B after 1.7 seconds has elapsed, trans- 
mits three requests to NIM-A over LCN bus 16 
requesting NIM-A to re-send the redundancy mes- 

55 sage over LCN cables 16A and 16B. If NIM-B does 
not receive a redundancy message from NIM-A 
within 0.8 seconds after transmitting the third re- 
quest for NIM-A to do so, and based on status 
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messages from NIM-A received over UCN bus 18, 
NIM-B determines that NIM-A can communicate 
with at least some modules of LCN 12. NIM-B then 
terminates its operation. Row 17 of the truth table 
of Fig. 3 describes this situation. 

From the foregoing, it is believed to be obvious 
that this invention provides an improved method by 
which redundant network interface modules inter- 
connecting the communication buses of two local 
area networks can determine when the primary is 
to fail over to the secondary based on information 
exchanged between the modules over the media of 
the two networks. 



Claims 

Claim 1. The method by which redundant network 
modules (NlM)s interconnecting the communication 
buses of a first and a second local area network 
communicate with one another over the commu- 
nication buses of the two networks, the first NIM 
being designated as the primary and the second 
NIM being designated as the secondary, the sec- 
ondary NIM taking over the function of the primary 
NIM on the occurrence of certain predetermined 
conditions; comprising the steps of: 
the first and second NIMs communicating with 
each other at predetermined time intervals over the 
communication buses of both networks, each com- 
munication between the NIMs over the communica- 
tion bus of the first network including the status of 
the second network as perceived by the NIM trans- 
mitting the message and each communication be- 
tween the NIMs over the communication bus of the 
second network including the status of the first 
network as perceived by the NIM transmitting the 
message; 

the primary NIM failing over to the secondary NIM 
when the primary NIM determines that it is unable 
to communicate with the first network and the sec- 
ondary NIM determines that is able to commu- 
nicate with the first network. 

Claim 2. The method of Claim 1 further comprising 
the step of the secondary NIM terminating its op- 
eration if the secondary NIM is unable to commu- 
nicate with the first network. 

Claim 3. The method of Claim 2 in v/hich each 
communication between the NIMs includes current 
operating status of the NIM originating such a 
communication, and further comprising the step of 
the secondary NIM terminating its operation if the 
secondary NIM detects it has suffered a hardware 
or a software failure. 

Claim 4. The method of Claim 3 further comprising 
the step of the primary NIM failing over to the 
secondary NIM if the primary NIM detects it has 
suffered a hardware or a software failure. 



Claim 5. The method of Claim 4 in which the 
primary NIM fails over to the secondary NIM with- 
out communicating the fact that it has suffered a 
hardware or a software failure to the secondary 
5 NIM. 

Claim 6. The method of Claim 5 in which the 
predetermined time intervals are one second. 
Claim 7. The method of Claim 6 in which the first 
local area network is a token passing network. 
io Claim 8. The method of Claim 7 in which the 
second local area network is a token passing net- 
work. 

Claim 9. In a process control system including an 
universal control network (UCN) and a local control 

15 network (LCN), each being a local area network 
(LAN) with each network including a plurality of 
modules, the modules of each network commu- 
nicating with one another over a communication 
bus. a pair of network interface modules (NlM)s, 

20 one of said NIMs being designated "as a primary 
and the other NIM being designated as a secon- 
dary, each of the NIMs being connected between 
the communication buses of the UCN and the LCN 
and functioning to provide communication and data 

25 translation between the UCN and the LCN, the 
primary NIM providing such function unless re- 
olaced by the secondary NIM. and the secondary 
:'avA ising ava,!at!e to provide this function instead 
of the primary NIM upon the occurrence of pre- 

30 determined conditions; comprising the steps of: 

1, the secondary NIM transmitting to the primary 
NIM at least once during every first period of 
time over the UCN's communication bus a sta- 
tus message, the secondary NIM's status mes- 
as sage including the current operating status of 

the secondary NIM and the status of the LCN as 
determined by the the secondary NIM; 

2, the primary NIM transmitting to the secondary 
NIM at least once during every first period of 

40 time over the UCN communication bus a status 
message, the primary NIM's status message 
including the current operating status of the pri- 
mary NIM and the status of the LCN as deter- 
mined by the the primary NIM; 

45 3, the primary NIM transmitting to the secondary 
NIM at ieast once during every first period of 
time over the LCN communication bus a status 
message, the primary NIM's status message 
including current operating status of the primary 

so NIM. of the UCN as determined by the primary 
NIM, and updating data with which the secon- 
dary NIM updates the secondary NIM's data 
base so that the data base of the secondary 
NIM substantially matches the data base of the 

55 primary NIM; 

4, the secondary NIM transmitting to the primary 
NIM upon receiving a predetermined number of 
messages from the primary NIM in step 3 con- 
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taining updating data or during every first period 
of time, which ever first occurs, over the LCN 
communication bus a status message, the sec- 
ondary NIM's status message including the cur- 
rent operating status of the secondary NIM and s 
the current operating status of the UCN as de- 
termined by the the secondary NIM; 

5, the primary NIM failing over to the secondary 
NIM if the primary NIM if it is unable to commu- 
nicate with the LCN, and the secondary NIM is 10 
able to communicate with the LCN, and status 
messages containing such data are received by 
both NIMs; 

6, the secondary NIM terminating its operations 

if it determines that it is unable to communicate rs 
with the LCN; 

7, the primary NIM terminating operation of the 
secondary NIM if the secondary NIM is unable 
to communicate with one of the LANs; 

8, the primary NIM terminating communications 20 
with the secondary NIM if the secondary NIM 
crashes; and 

9, the secondary NIM taking over the function of 
the primary NIM if the primary NIM crashes, if 

the primary NIM is commanded to shut down by 25 

a command from a universal control station 

module of the first network, or if the primary 

NIM is powered down; 
Claim 10. The method of Claim 9 in which the first 
period of time is one second. 30 
Claim 11. The method of Claim 10 in which the 
universal control network is a token passing net- 
work. 

Claim 12. The method of Claim 11 in which the 
local control network is a token passing network. 35 
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© A method by which redundant network interface 
modules (NIM)s interconnecting the communication 
buses of two local area networks communicate with 
one another at predetermined time intervals over the 
communication buses of both networks. One of the 
redundant pair of NIMs is designated as the primary 
and the other as the secondary. Contents of the 
information communicated between the NIMs over 
the communication bus of the first network includes 
the status of the transmitting NIMs ability to commu- 
nicate with the second network and the information 
communicated between the NIMs over the commu- 
nication bus of the second network includes the 
status of the transmitting NIM's ability to commu- 
nicate v/irn the first network. Based on the informa- 
tion exchanged, the failure of the NIMs to commu- 
nicate as scheduled, and the internal status of each 
NIM as understood by that NIM, the NIM decide 
when failover from the primary NIM to the secondary 
NIM occurs. 
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